Kernel Driver Load by non-root User

Elastic Detection Rules

Summary
This detection rule, authored by Elastic, identifies instances where a non-root user attempts to load a Linux kernel module through system calls. Loading kernel modules is normally restricted to root because a module can alter system behavior arbitrarily, so a load attempt by any other user is suspicious and may indicate a threat such as a rootkit installation. The rule analyzes events collected by the Auditd Manager, part of the Linux Audit Framework, and monitors for kernel module loading operations initiated by users that are not root (user ID != 0). By targeting the specific syscalls `init_module` and `finit_module`, the rule closes gaps left by other monitoring that may overlook such low-level operations. The rule has medium severity and a risk score of 47, so incidents it flags warrant attention. Responding to an alert from this rule should involve careful investigation of the non-root user's activity and prompt remediation to secure the affected system.
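As an added example (not Elastic's rule query or the Auditd Manager's own code), the following Python applies the same logic to auditd `SYSCALL` records: it flags `init_module`/`finit_module` calls whose `uid` is not 0. The syscall numbers assume an x86_64 host, and the sample records are constructed, not captured.

```python
"""Added illustration of the rule's logic: flag kernel module loads by non-root
users in auditd SYSCALL records. Not Elastic's detection query."""
import re
from typing import Optional

# x86_64 syscall numbers for the two module-loading entry points (assumption:
# records come from an x86_64 host; other architectures use other numbers).
# Names are accepted too, for logs interpreted with `ausearch -i`.
MODULE_LOAD_SYSCALLS = {"175": "init_module", "313": "finit_module",
                        "init_module": "init_module", "finit_module": "finit_module"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line: str) -> dict:
    """Split an auditd key=value record into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def module_load_by_non_root(line: str) -> Optional[dict]:
    """Return alert details if the record is an init_module/finit_module
    syscall attempted with a non-zero uid, else None. Failed attempts
    (success=no, e.g. EPERM) are still reported, since the attempt itself
    is the signal the rule looks for."""
    rec = parse_audit_record(line)
    if rec.get("type") != "SYSCALL":
        return None
    name = MODULE_LOAD_SYSCALLS.get(rec.get("syscall", ""))
    if name is None:
        return None
    if rec.get("uid") == "0":  # root loading a module is expected; not alerted
        return None
    return {"syscall": name, "uid": rec.get("uid"), "auid": rec.get("auid"),
            "comm": rec.get("comm"), "exe": rec.get("exe"),
            "success": rec.get("success")}


# Constructed sample records (not real captures): a root finit_module, a
# non-root finit_module, an unrelated openat, and a failed non-root init_module.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=313 success=yes exit=0 uid=0 auid=0 comm="modprobe" exe="/usr/bin/kmod" key="module_load"',
    'type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=313 success=yes exit=0 uid=1000 auid=1000 comm="insmod" exe="/usr/bin/kmod" key="module_load"',
    'type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=257 success=yes exit=3 uid=1000 auid=1000 comm="cat" exe="/usr/bin/cat"',
    'type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=175 success=no exit=-1 uid=1001 auid=1001 comm="insmod" exe="/usr/bin/kmod" key="module_load"',
]


def scan(lines) -> list:
    """Return the alert dicts for every matching record, in log order."""
    return [a for a in (module_load_by_non_root(l) for l in lines) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```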
Categories
  • Endpoint
  • Linux
Data Sources
  • Kernel
  • Process
ATT&CK Techniques
  • T1547
  • T1547.006
  • T1014
Created: 2024-01-10